Cybersecurity agencies have issued a warning about a critical vulnerability in Citrix application delivery controllers and gateways known as CVE-2023-4966 or “Citrix Bleed.” This vulnerability allows attackers to bypass authentication and gain deep access to networks, making it easy for them to deploy ransomware and extract sensitive data. Affected versions of Citrix software include NetScaler ADC and NetScaler Gateway 14.1, 13.1, and 13.0.
LockBit ransomware gang affiliates are actively exploiting this vulnerability to compromise organizations across various sectors. High-profile targets like Boeing have fallen victim to attacks, where ransomware was deployed, and employee data was exfiltrated. There has been an increase in activity on cybercrime forums, with users sharing proof of concepts on exploiting the vulnerability.
Detection methods include looking for specific file names, investigating HTTP/S requests, monitoring login patterns, and analyzing Windows Registry keys. Mitigation recommendations include isolating NetScaler appliances, securing remote access tools, limiting RDP usage, restricting PowerShell, and keeping systems up to date.
To protect against data theft and ransom demands, organizations are advised to employ endpoint security tools like anti-data exfiltration (ADX), which constantly monitors outgoing traffic for suspicious data transfers. ADX tools provide automated protection, stopping unusual data transfers before sensitive information is compromised. BlackFog offers a free ransomware assessment to help organizations enhance their security posture and protect against cyber threats.
Article Source
https://securityboulevard.com/2024/03/lockbit-ransomware-affiliates-leverage-citrix-bleed-vulnerability-cve-2023-4966/amp/
